Raimo,

Can you use the spamd.alloweddomains to whitelist email addresses and
domains you accept mail for? Any email sent to your mail server that is not
on the list will only go to spamd and never get the chance to be
greylisted/whitelisted. Then you could write a simple script to look
through the spamd logs of BLACK entries.

grep spamd /var/log/daemon | grep BLACK | awk '{print $7}' | sort -u

...and add the offending ips to a block table with a cron job running a few
times a day. This page might give you some more ideas:

  Spamd tarpit/greylisting anti-spam "how to" (spamdb)
  http://calomel.org/spamd_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference
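The log-scraping and table-filling step described above, written out as an added example; this is not code from the original post or from calomel.org. It assumes the BSD syslog line layout shown in the comments (host name in the fourth column, then spamd[pid]:, then the client address) and a pf table named spamd-blocked; both are assumptions, so check the column against a real line from your own /var/log/daemon and the table name against pf.conf before running it with --apply.

```shell
#!/bin/sh
# Added example, not code from the original post or from calomel.org.
# Collect the addresses spamd logged against a BLACK list and feed them to a
# pf table.  Assumptions: the BSD syslog layout
#   "Mon DD HH:MM:SS host spamd[pid]: A.B.C.D: connected (n/m), lists: BLACK"
# and a table declared in pf.conf as  table <spamd-blocked> persist  with a
# matching  block in quick on $ext_if from <spamd-blocked>  rule.

# Constructed sample log lines for a dry run (not real traffic).
SAMPLE_LOG='Feb  8 11:07:15 mx spamd[4123]: 192.0.2.10: connected (601/12), lists: BLACK
Feb  8 11:07:16 mx spamd[4123]: 198.51.100.7: connected (602/12)
Feb  8 11:07:17 mx spamd[4123]: 192.0.2.10: disconnected after 1 seconds.
Feb  8 11:07:18 mx spamd[4123]: 203.0.113.9: connected (603/12), lists: BLACK
Feb  8 11:07:19 mx sshd[511]: Accepted publickey for ops from 10.0.0.5
Feb  8 11:07:20 mx spamd[4123]: 192.0.2.10: connected (604/12), lists: BLACK'

# Read syslog lines on stdin, print each distinct IP that spamd tagged BLACK.
# Only lines whose process field is spamd[...] and whose "lists:" part names
# BLACK count, so another daemon mentioning the word is ignored, and sort -u
# collapses the repeated entries a busy zombie produces.  The address is the
# field right after "spamd[pid]:" (trailing colon dropped); in the assumed
# layout that is $6, not a count from the start of the line that a long or
# short host name could shift.
extract_black_ips() {
    awk '$5 ~ /^spamd\[/ && /lists:.*BLACK/ {
            ip = $6
            sub(/:$/, "", ip)
            print ip
        }' | sort -u
}

# Turn IPs on stdin into one "pfctl -t <table> -T add" line each for table $1.
# Printed rather than executed so the list can be reviewed; pipe into sh to apply.
block_commands() {
    table="$1"
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then
            printf 'pfctl -t %s -T add %s\n' "$table" "$ip"
        fi
    done
}

# Save as e.g. /usr/local/sbin/spamd-black2pf and run it from root's crontab
# a few times a day:   0 */6 * * * /usr/local/sbin/spamd-black2pf --apply
case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_LOG" | extract_black_ips | block_commands spamd-blocked ;;
    --apply) extract_black_ips < /var/log/daemon | block_commands spamd-blocked | sh ;;
esac
```

Run it with --demo to see the two pfctl lines the sample produces. Two caveats: the table only grows, so age entries out with something like `pfctl -t spamd-blocked -T expire 604800` in the same cron job, or a zombie that is later cleaned up stays blocked for good; and because nothing here consults the greylist, a legitimate MTA that happened to land on a BLACK list will be blocked at the packet level with no tarpit and no bounce, which is exactly the trade-off the questions below are asking about.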


On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:
>Apparently we (our mail server) got targeted by a zombie network
>since suddenly there were some 30000 hosts on spamd's whitelist,
>continuously some 600 connections to spamd, and only mails to
>unknown users coming in. The network connection was flooded,
>the web server sluggish, downloads crept, basically
>nothing worked.
>
>Can spamd do anything about zombie hosts? They behave like
>normal MTAs so they will pass spamd's behavioural tests, right?
>
>Now I analyze the greylist, do some heuristics on the
>sender address (among other things) and trap the bad hosts.
>The trapped hosts are then copied to a pf table to be blocked
>in the firewall. Tarpitting them through spamd is simply
>too much work for the mail server, but blocking works fine.
>
>Here come the questions:
>
>* Does anyone know of a good strategy against zombie network
>spam attacks?
>
>* To make the greylist heuristics validate recipients and
>blacklist hosts that send to invalid recipients would
>blacklist valid MTAs that send bounces of mails with
>fake sender addresses to me, right? And that would be
>too cruel, or? Because it would certainly decrease
>the spam amount.
>
>* To make the greylist heuristics validate the hosts
>by reverse DNS PTR lookup and then forward A lookup
>is apparently a debatable issue according to the
>current thread "running mail server at home".
>But if it is (fairly) common practice it would
>be a simple thing to do, and certainly decrease
>spam volume. But would it be too narrow?
>
>-- 
>
>/ Raimo Niskanen, Erlang/OTP, Ericsson AB
